A Professional Corporation

Fax Transmission | November 2, 2006

TO: Commissioner for Patents
ATTENTION: OFFICE OF PETITIONS
P.O. Box 1450
Alexandria, VA 22313-1450

FROM: Frank J. Bozzo
TELEPHONE: 206.342.6294
OUR REF: 14917.461US01

Total pages, including cover sheet: 36
PTO FAX NUMBER: 1-571-273-8300

If you do NOT receive all of the pages, please telephone us at 206.342.6200, or fax us at
206.342.6201.

Documents Transmitted:

[x] Fax Coversheet (in duplicate)
[x] Cover letter for "Renewed Petition under 37 C.F.R. 1.137(b)"
[x] Request for Reconsideration
[x] Petition for Revival of an Application for Patent Abandoned Unintentionally
[x] Statement of Reasons Attesting to the Delay in Filing The Response
[x] Copy of RCE filed on 9/19/06
[x] Copy of Amendment filed on 7/13/06

Title: METHODS AND SYSTEMS FOR CONTROLLING THE SCOPE OF DELEGATION OF AUTHENTICATION CREDENTIALS
Applicant: Brezak et al.
Serial No.: 09/886,146
Filed: June 20, 2001
Group Art Unit: 2153
Confirmation No.: 5712
Our Ref. No.: 14917.461US01

Please charge any additional fees or credit overpayment to Deposit Account No. 13-2725. Under
37 C.F.R. § 1.136(a)(3), please consider this as a constructive PETITION FOR EXTENSION OF
TIME for a sufficient number of months and as authorization to charge the deposit account the
appropriate fees to enter these papers in a timely fashion, if appropriate.

I hereby certify that this paper is being transmitted by facsimile to the U.S. Patent and
Trademark Office on the date shown below.

November 2, 2006    By: [signature]

Name: Frank J. Bozzo
RECEIVED
CENTRAL FAX CENTER
NOV 02 2006

S/N 09/886,146                                                  PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
Applicant: Brezak et al.                  Examiner: Yasin M. Barqadle
Serial No.: 09/886,146                    Group Art Unit: 2153
Filed: June 20, 2001                      Docket No.: 14917.0461US01
Title: Methods and Systems for Controlling the Scope of Delegation of
Authentication Credentials



CERTIFICATE UNDER 37 CFR 1.6(d):

I hereby certify that this paper is being transmitted by facsimile to the U.S. Patent and Trademark Office on November 2,
2006.

By: [signature]

Name: Alice M. Baum



RENEWED PETITION UNDER 37 C.F.R. § 1.137(b)



Attention: Office of Petitions 
Mail Stop Petition 
Commissioner for Patents 
P.O. Box 1450 

Alexandria, Virginia 22313-1450
Fax: (571) 273-8300 



Dear Sir: 

On behalf of the applicant, Microsoft Corporation, the undersigned attorney and attorneys 
of record, Merchant & Gould P.C., hereby renew their previous Petition to Revive an 
Unintentionally Abandoned Application filed on September 19, 2006. 

In renewing this request, the following documents are provided: 

(1) the foregoing Fax Transmission cover sheet, which includes an authorization to 
charge any applicable fees to Deposit Account No. 13-2725; 

(2) this cover letter for a Renewed Petition under 37 C.F.R. § 1.137(b); 
(3) a Petition for Revival of an Application for Patent Abandoned Unintentionally
under 37 C.F.R. § 1.137(b) presented on form PTO/SB/64 (09-06) as indicated by 
the Petitions Examiner; 

(4) a Request for Reconsideration; 

(5) a Statement supporting the Petition and the Request for Reconsideration offering 
additional information that the Commissioner may require attesting to the 
unintentional nature of the delay in filing a response; 

(6) a copy of the previously filed Request for Continued Examination; and 

(7) the response submitted with the Request for Continued Examination. 

A petition fee of $1,500 was previously submitted in the form of authorization to charge 
Deposit Account 13-2725 for the petition fee, as well as the fees for the Request for Continued 
Examination and any applicable extension of time fee. 

Respectfully, it is not clear from the rules whether an additional petition fee is required. 
Similarly, there does not seem to be an enumerated fee for a Request For Reconsideration. 

However, if an additional petition fee is required to support this "Renewed Petition," or if 
any other fee is required to support this Request for Reconsideration or for any other purpose 
relating to this application, this letter authorizes the Office to please charge any such fees to
Deposit Account 13-2725.
Respectfully submitted,

MERCHANT & GOULD P.C.
P.O. Box 2903
Minneapolis, Minnesota 55402-0903
(206) 342-6294

Date: November 2, 2006

[signature]
Frank J. Bozzo
Reg. No. 36,756
S/N 09/886,146                                                  PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
Applicant: Brezak et al.                  Examiner: Yasin M. Barqadle
Serial No.: 09/886,146                    Group Art Unit: 2153
Filed: June 20, 2001                      Docket No.: 14917.0461US01
Title: Methods and Systems for Controlling the Scope of Delegation of
Authentication Credentials



CERTIFICATE UNDER 37 CFR 1.6(d):

I hereby certify that this paper is being transmitted by facsimile to the U.S. Patent and Trademark Office on November 2,
2006.

By: [signature]

Name: Alice M. Baum



REQUEST FOR RECONSIDERATION
OF PETITION FOR REVIVAL OF AN APPLICATION FOR PATENT ABANDONED
UNINTENTIONALLY UNDER 37 C.F.R. § 1.137(b)



Attention: Office of Petitions 
Mail Stop Petition 
Commissioner for Patents 
P.O. Box 1450 

Alexandria, Virginia 22313-1450 
Fax: (571) 273-8300 



Dear Sir: 

This Request for Reconsideration concerns a petition to revive an unintentionally 
abandoned patent application. The petition was originally filed via facsimile on September 19, 
2006. A facsimile Auto-Reply (attached to the supporting Statement) was generated indicating 
receipt of the petition. Nonetheless, upon later telephoning the Petitions Office, the undersigned 
attorney was told the petition had not been received. The petition was re-filed on October 2, 
2006. A decision dismissing the petition was issued October 27, 2006, and received by the 
undersigned attorney and Merchant & Gould on November 1, 2006. Of these papers, only a 
copy of the September 19, 2006, Auto-Reply is attached so as not to burden the Office with 
many documents it already possesses. 
Petitions Examiner Karen Creasy was kind enough to speak with the undersigned
attorney on November 2, 2006 to discuss what was lacking in the originally filed petition. The 
undersigned attorney hopes and believes to have corrected the shortcomings of the original 
petition by including a corrected Petition, using the Office's petition form, and by attaching a 
supporting Statement clarifying the original statement presented explaining why the delay 
between the due date for the reply and the filing of the petition was wholly unintentional. 

As stated and explained in the accompanying documents, the entire delay in filing the 
required reply from the due date for the required reply until the filing of what is believed to be a 
grantable petition under 37 CFR § 1.137(b) was entirely unintentional.

If there are any questions regarding this request for reconsideration or the petition, the 
undersigned attorney humbly requests that he be contacted at the number that appears below. 



Respectfully submitted,

MERCHANT & GOULD P.C.
P.O. Box 2903
Minneapolis, Minnesota 55402-0903
(206) 342-6294

Date: November 2, 2006

[signature]
Reg. No. 36,756
PTO/SB/64 (09-06)
Approved for use through 03/31/2007. OMB 0651-0031
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.



PETITION FOR REVIVAL OF AN APPLICATION FOR PATENT
ABANDONED UNINTENTIONALLY UNDER 37 CFR 1.137(b)

Docket Number (Optional): 14917.0461US

First named inventor: John E. Brezak
Application No.: 09/886,146          Art Unit: 2153
Filed: June 20, 2001                 Examiner: Yasin M. Barqadle
Title: Methods and Systems for Controlling the Scope of Delegation of Authentication Credentials

Attention: Office of Petitions
Mail Stop Petition
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450
FAX (571) 273-8300

NOTE: If information or assistance is needed in completing this form, please contact Petitions
Information at (571) 272-3282.

The above-identified application became abandoned for failure to file a timely and proper reply to a notice or
action by the United States Patent and Trademark Office. The date of abandonment is the day after the expiration
date of the period set for reply in the office notice or action plus any extensions of time actually obtained.

APPLICANT HEREBY PETITIONS FOR REVIVAL OF THIS APPLICATION

NOTE: A grantable petition requires the following items:

(1) Petition fee;

(2) Reply and/or issue fee;

(3) Terminal disclaimer with disclaimer fee - required for all utility and plant applications
filed before June 8, 1995; and for all design applications; and

(4) Statement that the entire delay was unintentional.

1. Petition fee

[ ] Small entity - fee $ ____ (37 CFR 1.17(m)). Applicant claims small entity status. See 37 CFR 1.27.

[x] Other than small entity - fee $1,500 (37 CFR 1.17(m)) **Fee previously paid.
**If an additional petition fee or any other fee is required, please charge the fee to Deposit Account 13-2725.

2. Reply and/or fee

A. The reply and/or fee to the above-noted Office action in the form of a Request for Continued
Examination and a submitted response (identify type of reply):

[x] has been filed previously on 9-19-2006 and again 10-02-2006.
[x] is enclosed herewith.

B. The issue fee and publication fee (if applicable) of $ ____

[ ] has been paid previously on ____.
[ ] is enclosed herewith.

This collection of information is required by 37 CFR 1.137(b). The information is required to obtain or retain a benefit by the public which is to file (and by the
USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 1.0 hour to
complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any
comments on the amount of time you require to complete this form and/or suggestions for reducing this burden should be sent to the Chief Information Officer,
U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED
FORMS TO THIS ADDRESS. SEND TO: Mail Stop Petition, Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.

If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2.



3. Terminal disclaimer with disclaimer fee

[x] Since this utility/plant application was filed on or after June 8, 1995, no terminal disclaimer is required.

[ ] A terminal disclaimer (and disclaimer fee (37 CFR 1.20(d)) of $ ____ for a small entity or $ ____
for other than a small entity) disclaiming the required period of time is enclosed herewith (see
PTO/SB/63).

4. STATEMENT: The entire delay in filing the required reply from the due date for the required reply until the
filing of a grantable petition under 37 CFR 1.137(b) was unintentional. [NOTE: The United States Patent and
Trademark Office may require additional information if there is a question as to whether either the
abandonment or the delay in filing a petition under 37 CFR 1.137(b) was unintentional (MPEP 711.03(c),
subsections (III)(C) and (D)).]

WARNING:

Petitioner/applicant is cautioned to avoid submitting personal information in documents filed in a patent application that may
contribute to identity theft. Personal information such as social security numbers, bank account numbers, or credit card
numbers (other than a check or credit card authorization form PTO-2038 submitted for payment purposes) is never required by
the USPTO to support a petition or an application. If this type of personal information is included in documents submitted to the
USPTO, petitioners/applicants should consider redacting such personal information from the documents before submitting them
to the USPTO. Petitioner/applicant is advised that the record of a patent application is available to the public after publication
of the application (unless a non-publication request in compliance with 37 CFR 1.213(a) is made in the application) or issuance
of a patent. Furthermore, the record from an abandoned application may also be available to the public if the application is
referenced in a published application or an issued patent (see 37 CFR 1.14). Checks and credit card authorization forms PTO-
2038 submitted for payment purposes are not retained in the application file and therefore are not publicly available.

Signature: [signature]    Date: November 2, 2006
Typed or printed name: Frank J. Bozzo
Registration Number, if applicable: 36,756
Address: Merchant & Gould P.C., P.O. Box 2903, Minneapolis, MN 55402-0903
Telephone Number: (206) 342-6294

Enclosures:
[ ] Fee Payment
[ ] Reply
[ ] Terminal Disclaimer Form
[x] Additional sheets containing statements establishing unintentional delay
[x] Other: Request for Reconsideration, Fax Transmittal, Copies of response and RCE

CERTIFICATE OF MAILING OR TRANSMISSION [37 CFR 1.6(a)]
I hereby certify that this correspondence is being:

[ ] Deposited with the United States Postal Service on the date shown below with sufficient
postage as first class mail in an envelope addressed to: Mail Stop Petition, Commissioner for
Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
[x] Transmitted by facsimile on the date shown below to the United States Patent and Trademark
Office at (571) 273-8300.

Date: [handwritten]    Signature: [signature]
Typed or printed name of person signing certificate: Alice M. Baum
S/N 09/886,146                                                  PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE
Applicant: Brezak et al.                  Examiner: Yasin M. Barqadle
Serial No.: 09/886,146                    Group Art Unit: 2153
Filed: June 20, 2001                      Docket No.: 14917.0461US01
Title: Methods and Systems for Controlling the Scope of Delegation of
Authentication Credentials

CERTIFICATE UNDER 37 CFR 1.6(d):

I hereby certify that this paper is being transmitted by facsimile to the U.S. Patent and Trademark Office on November 2,
2006.

By: [signature]

Name: Alice M. Baum



STATEMENT OF REASONS ATTESTING TO THE DELAY IN FILING THE 
RESPONSE BEING UNINTENTIONAL 

Attention: Office of Petitions 
Mail Stop Petition 
Commissioner for Patents 
P.O. Box 1450 

Alexandria, Virginia 22313-1450 
Fax: (571)273-8300 



Dear Sir: 

This Statement is filed in support of the foregoing Petition to revive an unintentionally 
abandoned application. The Statement is provided to underscore the sincerity of the statement 
that the entire delay in filing the required reply from the due date for the required reply until the 
filing of the petition under 37 CFR § 1.137(b), which the undersigned respectfully submits to be 
and hopes to be grantable, was unintentional. Because the United States Patent and Trademark 
Office may require additional information if there is a question as to whether either the 
abandonment or the delay in filing a petition under 37 CFR § 1.137(b) was unintentional, the 
undersigned provides this Statement to, it is hoped, answer any potential questions and thereby 
save the time of the Office and its Examiners in addressing the Petition. 
In the following paragraphs, the undersigned attorney submits the following reasons why
the delay was unintentional. The substance of these paragraphs was submitted with the Petition 
previously filed on September 19, 2006, and re-filed on October 2, 2006, as explained below. 

1 . The entire delay in filing the required reply from the due date for the reply until the 
filing of this petition, which is believed to be grantable, was unintentional. 

2. The subject application was drafted and previously drafted by the law firm of Lee & 
Hayes, PLLC, 421 West Riverside Drive, Suite 500, Spokane, Washington 99201, 
also having an office at 1101 Western Avenue, Suite 906, Seattle, Washington 98104. 

3. Until August 2006, the undersigned attorney was associated with Lee & Hayes, and 
submitted the most recent response in this case, a Response to a Final Office Action 
dated February 27, 2006, that was submitted on July 13, 2006. 

4. The undersigned attorney spoke with the Examiner, Yasin M. Barqadle, by telephone 
prior to the filing of the response, and had some optimism that the application might 
be allowed without further examination. (The undersigned attorney does NOT 
suggest that the Examiner in any way misled the undersigned attorney into believing 
that an agreement on allowance had been reached; the undersigned attorney merely 
believed that, based on the amendments to the claims submitted, that the application 
might have been allowed based on the submitted response without a Request for 
Continued Examination.) 

5. In July 2006, after the filing of the most recent response in this case, the undersigned 
attorney was offered a position with the law firm of Merchant & Gould P.C, the 
current attorneys of record in this case. The undersigned attorney accepted that offer. 

6. In August 2006, the undersigned attorney gave notice to Lee & Hayes that he would 
be leaving their employ. 

7. Subsequent to giving notice to Lee & Hayes, the undersigned attorney was relieved of 
his ongoing prosecution docket for the applicant in this case, Microsoft Corporation, 
as well as for his other clients. The only exceptions were a few enumerated matters 

for other clients that the undersigned attorney wanted to handle personally before
leaving Lee & Hayes. 

8. The undersigned attorney was neither notified of any deadlines nor responsible for 
any further prosecution of this case, or any other cases for Microsoft Corporation, 
after mid- August 2006 while still in the employ of Lee & Hayes. 

9. The undersigned attorney's last day with Lee & Hayes was August 25, 2006, before 
the due date for a reply in this case, August 27, 2006 (although that day was a 
Sunday, thus the due date was the next business day, August 28, 2006). Prior to that 
day, the undersigned attorney had not handled any work for the applicant in weeks. 
The undersigned had not worked on the subject application since the filing of the 
response on July 13, 2006. 

10. The undersigned attorney joined Merchant & Gould on Tuesday, September 5, 2006. 

11. On information and belief, the applicant, Microsoft Corporation, had the file
transferred to Merchant & Gould because Merchant & Gould is handling related
matters for the applicant.

12. It is not known who was in possession of or responsible for this case on file on the
due date for the reply, or if the file literally was in the mail between Lee & Hayes and
Microsoft, or between Microsoft and Merchant & Gould, at that time.

13. The undersigned attorney learned of the status of this case on Thursday, September 
14, 2006, when he learned that the file had been transferred from Lee & Hayes to 
Merchant & Gould, and that the case had gone abandoned for failure to respond. The 
undersigned attorney requested the file be sent to him right away. 

14. The undersigned attorney received a file containing documents regarding this 
application on Monday, September 18, 2006. The undersigned attorney immediately 
prepared a Petition to Revive and a supporting statement, and arranged to obtain a 
copy of the response to the most recent Office Action to be submitted with the 
Request for Continued Examination on Tuesday, September 19, 2006.

15. An "Auto-Reply Facsimile Transmission" was received on September 19, 2006,
acknowledging receipt of 29 pages constituting the Petition and other documents. 
(This Auto-Reply is attached to this Statement.) 

16. The undersigned attorney submits that the failure to submit a reply by the date due 
was unintentional, as was the subsequent delay before the original filing of the 
petition on September 19, 2006. The undersigned attorney did not intend to fail to 
file a reply by the due date or at any other time. The current attorneys of record, 
Merchant & Gould, did not intend to fail to file a reply by the due date or at any other 
time. On information and belief, the former attorneys of record, Lee & Hayes, who 
represent the applicant in many other matters, did not intend to fail to file a reply by 
the due date or at any other time. The applicant, Microsoft Corporation, did not 
intend to fail to file a reply by the due date or at any other time. The delay in filing a 
response by the due date and any delay between the due date and the filing of the 
Petition was entirely unintentional. 

17. To summarize, from the date the response was due on August 28, 2006, through 
September 19, 2006, separately, the undersigned attorney who previously had worked 
on the application and the application itself were in the process of moving from Lee 
& Hayes to Merchant & Gould. As soon as it was realized that a response had been 
due and had not been filed, the undersigned attorney worked to prepare a petition to 
revive the application and submitted it to the Office. The entire delay between the 
due date for the response and the filing of the Petition and response was 
unintentional. To the contrary, when the delay was noticed, as quickly as possible, 
the undersigned attorney acted to file a petition to revive the application to 
demonstrate its intention that the application not go abandoned. 

18. Upon checking on the status of the petition, the Petitions Office notified the 
undersigned attorney on October 2, 2006, that the Petition apparently had not been 
received. Accordingly, that same day, the undersigned attorney re-filed the petition, 
along with copies of the Request for Continued Examination and a submitted 
response. This copy was received and logged in the Patent Application Information
Retrieval System. Any further delay between the due date for the response and the
re-filing of the Petition on October 2, 2006, also was unintentional. 

19. Again, the undersigned attorney received an Auto-Reply on which he relied to believe
the Petition had been filed on September 19, 2006. The undersigned attorney 
followed up to determine if the petition had been received, and upon finding that the 
petition had not been received, immediately re-filed the documents. There was no 
intent to further delay filing of the response previously due. 

20. The undersigned attorney contacted the Petitions Examiner to ensure the re-filed 
Petition had been received, and confirmed that it had been received. 

21. On November 1, 2006, the undersigned attorney and Merchant & Gould received the
decision dismissing the petition. 

22. On that same day, the undersigned attorney telephoned the Petitions Examiner to ask 
about the application. The undersigned attorney left a voicemail message for the 
Petitions Examiner. 

23. On the morning of the next day, November 2, 2006, the undersigned attorney again 
telephoned the Petitions Examiner, and left another voicemail message. 

24. Shortly thereafter, the Petitions Examiner was kind enough to telephone the 
undersigned attorney and explain the discrepancies in the previously filed Petition 
that led to its dismissal. The undersigned attorney appreciates the Petition 
Examiner's time, and apologizes for the discrepancies that have consumed the 
Petition Examiner's time. 

25. On November 2, 2006, the day after receiving notice of the dismissal of the Petition, 
the undersigned attorney and Merchant & Gould file this Request for 
Reconsideration, a corrected Petition for Revival, this supporting Statement, and 
copies of the Request for Reconsideration and the submitted response. 

26. Again, respectfully, between the due date for the reply and the first filing of the 
petition, the re-filing of the petition, and the filing of this Request, the entire delay in 

filing the required reply from the due date for the required reply until the filing of a
believed-to-be grantable petition under 37 CFR § 1.137(b) was unintentional. 

CONCLUSION 

For the foregoing reasons, the undersigned attorney humbly requests reconsideration of
this Petition and revival of this application, so that the Examiner can consider the Request for 
Continued Examination and the response to Office Action filed herewith. Again, the entire 
delay in filing the required reply from the due date for the required reply until the filing of 
the petition under 37 CFR § 1.137(b) was unintentional. The undersigned have acted as
quickly as possible to pursue the Petition, as explained in the foregoing paragraphs. 

If the Examiner or anyone with the Office has any questions, please do not hesitate to 
contact the undersigned attorney at the below-listed telephone number. 



Respectfully submitted,

MERCHANT & GOULD P.C.
P.O. Box 2903
Minneapolis, Minnesota 55402-0903
(206) 342-6294

Date: November 2, 2006

[signature]
Frank J. Bozzo
Reg. No. 36,756
Serial No.: 09/886,146                    Group Art Unit: 2153

AMENDMENT AND RESPONSE

INTRODUCTORY COMMENTS 

This communication is filed with a Request for Continued Examination and a Petition to 
Revive an Unintentionally Abandoned Application, and is responsive to the Office Action dated 
February 27, 2006. The content of the response is the same as that filed on July 13, 2006, for
which an Advisory Action was issued August 30, 2006. Please amend the above-captioned 
application as follows: 

Amendments to the Claims begin on page 3 of this document. 
Remarks begin on page 16 of this document. 
AMENDMENTS TO THE CLAIMS

Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-50, 52-58, and 60-61 were pending at the time 
of the Action. 

Claims 1, 10, 12, 16, 24, 26, 31, 38, 49, and 58 are amended. 

Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-50, 52-58, and 60-61 remain pending. 

1. (Currently Amended) A method for constraining a scope of delegation by
a client to a server, comprising:

identifying a target service to which access is sought on behalf of a client;

causing a server operatively coupled to the client to request access to the target service on
behalf of the client, from a trusted third-party, wherein the server provides the trusted third-party
with a credential authenticating the server, information about the target service, and a service
credential previously provided by the client to the server; and

causing the trusted third-party to provide the server with a new service credential granted
in the name of the client rather than the server such that the new service credential authorizes the
server to access the target service on behalf of the client while withholding a client's
authentication credentials from the server, wherein the new service credential granted in the
name of the client is constrained to a scope specified by the service credential previously
provided by the client to the server.

2. (Original) The method as recited in Claim 1, wherein the trusted third-party
includes at least one service selected from a group of services comprising a key distribution
center (KDC) service, a certificate granting authority service, and a domain controller service.

3. (Canceled). 

4. (Previously Presented) The method as recited in Claim 1, wherein the new
service credential is configured for use by the server and the target service to which access is
sought.

5. (Previously Presented) The method as recited in Claim 1, wherein the
credential authenticating the server is a ticket that includes a ticket granting ticket associated 
with the server. 

6. (Original) The method as recited in Claim 1, further comprising: 
causing the trusted third-party to verify that the client has authorized delegation. 

7. (Original) The method as recited in Claim 6, wherein:
the trusted third-party includes a key distribution center (KDC); and 

causing the trusted third-party to verify that the client has authorized delegation includes 
verifying the status of a restriction placed on the ticket originating from the client. 

8. (Original) The method as recited in Claim 1 , further comprising: 
causing the trusted-third-party to selectively determine if the client is allowed to 

participate in delegation either based on information selected from a group comprising an 
identity of the client, a group affiliation associated with the client. 

9. (Original) The method as recited in Claim 1 , wherein the server is a front-end 
server with respect to a back-end server that is coupled to the front-end server, and wherein the 
back-end server is configured to provide the target service to which access is sought. 

10. (Currently Amended) The method as recited in Claim 1, wherein:
the trusted third-party includes a key distribution center (KDC); 

the KDC provides the client's authentication credentials as a ticket-granting-ticket
associated with the client to the client; and

the client does not provide the ticket granting ticket to the server. 

11. (Original) The method as recited in Claim 1, wherein:
the trusted third-party includes a key distribution center (KDC); and 

the server requests the new credential in a ticket granting service request message that 
includes a service ticket provided by the client to the server. 
12. (Currently Amended) A method for constraining the scope of authentication
credential delegation by a client to a server, comprising:

identifying a target service to which access is sought on behalf of a client; and 

causing a server operatively coupled to the client to request access to the target service on 
behalf of the client, from a trusted third party, wherein the server provides the trusted third party 
with a service credential authenticating the server, information about the target service, and a 
service credential previously provided by the client for the service, and wherein the service
credential previously provided by the client includes implementation-specific identity
information constraining a scope of access delegated to the server; and

causing the trusted third-party to provide the server with a new service credential granted 
in the name of the client rather than the server such that the new service credential authorizes the 
server to access the target service within the scope of access specified in the
implementation-specific identity information.



13. (Original) The method as recited in Claim 12, wherein the
implementation-specific identity information includes information selected from a group
comprising privilege attribute certificate (PAC) information, security identifier information,
Unix identifier information, Passport identifier information, certificate information.

14. (Original) The method as recited in Claim 13, wherein the PAC information
includes compound identity information.

15. (Original) The method as recited in Claim 13, wherein the PAC information
includes access control restrictions for use as delegation constraints. 

16. (Currently Amended) A computer-readable medium having computer-executable
instructions for performing tasks for constraining a scope of delegation by a client to a server,
comprising:

in a server, determining a target service to which access is sought on behalf of a client 
coupled to the server; 
requesting a new service credential from a trusted third-party by providing the trusted
third-party with a credential authenticating the server, information about the target service, and a
service credential associated with the client and the requesting server such that issuance of the
new service credential authorizes the server to access the service on behalf of the client while
within a scope of delegation authorized by the client.

17. (Original) The computer-readable medium as recited in Claim 16, wherein
the trusted third-party includes at least one service selected from a group of services comprising 
a key distribution center (KDC) service, a certificate granting authority service, and a domain 
controller service. 

18. (Canceled). 

19. (Previously Presented) The computer-readable medium as recited in Claim
16, wherein the service credential is configured for use by the server and the target service. 

20. (Previously Presented) The computer-readable medium as recited in Claim 
16, wherein the credential authenticating the server includes a ticket granting ticket associated 
with the server.

21. (Original) The computer-readable medium as recited in Claim 16, further 
comprising: 

causing the trusted third-party to verify that the client has authorized delegation.

22. (Original) The computer-readable medium as recited in Claim 21, wherein:
the trusted third-party includes a key distribution center (KDC); and 

causing the trusted third-party to verify that the client has authorized delegation includes 
verifying the status of a forwardable flag value as set by the client.
23. (Original) The computer-readable medium as recited in Claim 16, wherein
the server is a front-end server with respect to a back-end server coupled to the front-end server, 
and wherein the back-end server is configured to provide the target service. 

24. (Currently Amended) The computer-readable medium as recited in Claim 16, 
wherein: 

the trusted third-party includes a key distribution center (KDC); 
the KDC provides to the client authentication credentials of the client as a
ticket-granting-ticket associated with the client to the client; and

the client does not provide the ticket granting ticket to the server. 

25. (Original) The computer-readable medium as recited in Claim 16, wherein: 
the trusted third-party includes a key distribution center (KDC); and 

the requesting server requests the new service credential in a ticket granting service 
request message that includes a service ticket provided by the client to the server.

26. (Currently Amended) A system comprising: 

a credential granting mechanism configured to receive a request for a new service 
credential from a server and in response generate the new service credential granted in the name 
of a client rather than the server if delegation is allowable, and wherein the request includes: 

a credential authenticating the requesting server, 

identifying information about a target service to which access is sought on behalf of the 
client coupled to the server, and 

a service credential that was previously granted to the client for use with the server and
presenting a forwardable delegation flag indicating the client has authorized the delegation
within a scope delegated by the client.
27. (Original) The system as recited in Claim 26, wherein the credential granting
mechanism is provided by a trusted third party and includes at least one service selected from a
group of services comprising a key distribution center (KDC) service, a certificate granting
authority service, and a domain controller service. 

28. (Canceled). 

29. (Previously Presented) The system as recited in Claim 26, wherein the 
service credential is configured for use by the server and the target service.

30. (Previously Presented) The system as recited in Claim 26, wherein the 
credential authenticating the server includes a ticket granting ticket associated with the server, 
and which was previously granted by the credential granting mechanism. 

31. (Currently Amended) A system for constraining the scope of delegation by a 
client to a server, comprising: 

a server configured to generate a request for a new service credential in the name of a 
client rather than the server from a trusted third-party, the new service credential being 
associated with a client and a target service, the request comprising: 

a credential authenticating the server, 

information about the target service, and 

a service credential associated with the client and the server, wherein the server is
constrained to access the target service within a scope specified by the client.

32. (Original) The system as recited in Claim 31, wherein the trusted third-party 
includes at least one service selected from a group of services comprising a key distribution 
center (KDC) service, a certificate granting authority service, and a domain controller service. 

33. (Original) The system as recited in Claim 31, wherein the credential
authenticating the server includes a ticket granting ticket associated with the server. 
34. (Original) The system as recited in Claim 31, wherein the server is a
front-end server with respect to the service.

35. (Original) The system as recited in Claim 31, wherein the server requests the
new service credential in a ticket granting service request message that includes the service ticket 
associated with the client and the server. 

36. (Withdrawn) A computer-readable medium having stored thereon a data 
structure, comprising: 

a credential authenticating a first server, 

information identifying a second server, and 

a service credential associated with a client and the first server. 

37. (Withdrawn) The computer-readable medium as recited in Claim 36, wherein 
the credential authenticating the first server includes a ticket-granting-ticket (TGT) and the 
service credential includes a service ticket. 

38. (Currently Amended) A method comprising: 
separately authenticating a server and a client; 
providing the server with a server ticket granting ticket; 

providing the client with a client ticket granting ticket and a service ticket for use with the 

server; 

providing the server with a new service ticket in an identity of the client rather than an
identity of the server for use by the server for use with a new service while withholding from the
server without requiring the server to have access to the client ticket granting ticket thereby
constraining delegation of the client ticket granting ticket.

39. (Original) The method as recited in Claim 38, further comprising: 
causing the server to request the new service ticket on behalf of the client by forwarding 

the server ticket granting ticket, information identifying the new service, and the service ticket to 
a trusted third party. 
40. (Currently Amended) A method for constraining a scope of delegation by a client
to a server, comprising:

identifying a target service to which access is sought on behalf of a client that has been
authenticated using a first authentication method; 

causing a server that is operatively coupled to the target service and the client to request a 
service credential to itself from a second authentication method trusted third-party by identifying 
the client and the first authentication protocol method; and

causing the server to request from the second authentication method trusted third-party, a 
new service credential in an identity of the client rather than an identity of the server, for use by 
the server and the target service, from the second authentication method trusted third-party,
wherein the server provides the trusted third-party with a credential authenticating the server to 
access the target service within a scope constrained by the client, information about the target
service, and the service credential to itself. 

41. (Original) The method as recited in Claim 40, wherein the second
authentication method trusted third-party includes at least one service selected from a group of 
services comprising a key distribution center (KDC) service, a certificate granting authority 
service, and a domain controller service. 

42. (Canceled). 

43. (Previously Presented) The method as recited in Claim 40, wherein the 
service credential is configured for use by the server and the target service to which access is 
sought. 

44. (Previously Presented) The method as recited in Claim 40, wherein the 
credential authenticating the server includes a ticket granting ticket associated with the server. 
45. (Original) The method as recited in Claim 40, further comprising:
upon receiving a request for the new service credential from the server, causing the 

second authentication method trusted third-party to verify that the client has authorized 
delegation. 

46. (Original) The method as recited in Claim 40, wherein the server is a front- 
end server with respect to a back-end server that is coupled to the front-end server, and wherein 
the back-end server is configured to provide the target service. 

47. (Original) The method as recited in Claim 40, wherein the first authentication 
method is selected from a group of authentication methods comprising Passport, SSL, NTLM, 
and Digest. 

48. (Original) The method as recited in Claim 40, wherein the second 
authentication method includes a Kerberos authentication protocol.

49. (Currently Amended) A computer-readable medium having computer-executable
instructions for performing tasks for constraining a scope of delegation by a client to a server,
comprising:

identifying a target service to which access is sought on behalf of a client that has 
been authenticated using a first authentication method; 

causing a server that is operatively coupled to the target service and the client to
request a service ticket to itself from a second authentication method trusted third-party by 
identifying the client and the first authentication method protocol; and 

causing the server to request a new service ticket in an identity of the client rather 
than an identity of the server, for use by the server and the identified service, from the second 
authentication method trusted third-party, wherein the server provides the trusted third-party with 
a ticket authenticating the server to act within a scope of delegation permitted by the client,
information about the target service, and the service ticket to itself. 
50. (Original) The computer-readable medium as recited in Claim 49, wherein
the second authentication method trusted third-party includes a key distribution center (KDC).

51. (Canceled). 

52. (Previously Presented) The computer-readable medium as recited in Claim 
49, wherein the service ticket is configured for use by the server and the target service. 

53. (Previously Presented) The computer-readable medium as recited in Claim
49, wherein the ticket authenticating the server includes a ticket granting ticket associated with 
the server. 

54. (Original) The computer-readable medium as recited in Claim 49, further 
comprising: 

upon receiving a request for the new service ticket from the server, causing the second 
authentication method trusted third-party to verify that the client has authorized delegation. 

55. (Original) The computer-readable medium as recited in Claim 49, wherein 
the server is a front-end server with respect to a back-end server that is coupled to the front-end 
server, and wherein the back-end server is configured to provide the target service. 

56. (Original) The computer-readable medium as recited in Claim 49, wherein 
the first authentication method is selected from a group of authentication methods comprising
Passport, SSL, NTLM, and Digest.

57. (Original) The computer-readable medium as recited in Claim 49, wherein 
the second authentication method includes a Kerberos authentication protocol.
58. (Currently Amended) A system for constraining a scope of delegation by a client
to a server, comprising:

a server configurable to:

identify a target service to which access is sought on behalf of a client that has 
been authenticated using a first authentication method, 

request a service credential to itself from a second authentication method trusted 
third-party by identifying the client and the first authentication method, and 

subsequently request a new service credential, for use by the server and the target 
service, from the second authentication method trusted third-party, 

wherein the server provides the second authentication method trusted third-party 
with a credential authenticating the server, information about the target service, and the service 
credential to itself in an identity of the client rather than the server such that a scope of
delegation authorized by the client constrains access by the server to the target service as
authorized by the client.

59. (Canceled). 

60. (Previously Presented) The system as recited in Claim 58, wherein the new 
service credential is configured for use by the server and the target service. 

61 . (Previously Presented) The system as recited in Claim 58, wherein the 
credential authenticating the server includes a ticket granting ticket associated with the server. 
REMARKS

Applicants respectfully request reconsideration and allowance of the subject application.
Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-50, 52-58, and 60-61 were pending at the time of the
Action. Claims 1, 10, 12, 16, 24, 26, 31, 38, 40, 49, and 58 are amended. Claims 1-2, 4-17,
19-27, 29-35, 38-41, 43-50, 52-58, and 60-61 remain pending.

Applicants appreciate the Examiner taking the time to speak with their attorney regarding 
the Office Action.

Claim Rejections under 35 U.S.C. § 102

Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-46, 48-55, 57-58, and 60-61 are rejected under
35 U.S.C. § 102 as being anticipated by Fox et al., "Security on the Move: Indirect
Authentication Using Kerberos" (1996) (hereinafter "Fox"). Applicants respectfully traverse the
rejection.

In the interest of reducing the number of issues for the Examiner to consider in this 
response, the following discussion focuses on independent Claims 1, 12, 16, 26, 31, 38, 40, 49,
and 58. The patentability of each remaining dependent claim is not necessarily separately 
addressed in detail. However, applicants' decision not to discuss the differences between the 
cited art and each dependent claim should not be considered as an admission that applicants 
concur with the Examiner's conclusion that these dependent claims are not patentable over the 
disclosure in the cited references. Similarly, applicants' decision not to discuss differences 
between the prior art and every claim element, or every comment made by the Examiner, should 
not be considered as an admission that applicants concur with the Examiner's interpretation and 
assertions regarding those claims. Indeed, applicants believe that all of the dependent claims 
patentably distinguish over the references cited. Moreover, a specific traverse of the rejection of 
each dependent claim is not required, since dependent claims are patentable for at least the same 
reasons as the independent claims from which the dependent claims ultimately depend. 

By way of introducing the context in which the invention was made and some of the 
problems which it addresses, the specification of the subject application addresses the problem of 
unconstrained forward target delegation. Generally, the user logon for a computer and the user 
authentication for network access control are two separate procedures. Nevertheless, to
minimize the burden on a user in dealing with the different access control schemes, the user 
logon and the user authentication for network access are sometimes performed together. For 
example, in the case where the user authentication is implemented under the Kerberos protocol, 
when the user logs on the computer, the computer may also initiate a Kerberos authentication 
process. In the authentication process, the computer contacts a Kerberos Key Distribution 
Center (KDC) to first obtain a ticket-granting ticket (TGT) for the user. The computer can then 
use the TGT to obtain from the KDC a session ticket for itself.

As networks have evolved, there has been a trend to have multiple tiers of server/service 
computers arranged to handle client computer requests. A simple example is a client computer 
making a request to a World Wide Web website via the Internet. Here, there may be a front-end
web server that handles the formatting and associated business rules of the request, and a
back-end server that manages a database for the website. For additional security, the web site may be
configured such that an authentication protocol forwards (or delegates) credentials, such as, e.g., 
the user's TGT, and/or possibly other information from the front-end server to a back-end server. 
This practice is becoming increasingly common in many websites, and/or other multiple-tiered 
networks. 

Thus, any server/computer in possession of the user's TGT and associated authenticator 
can request tickets on behalf of the user/client from the KDC. This capability is currently used to
provide forwarded ticket delegation. Unfortunately, such delegation to a server is essentially 
unconstrained for the life of the TGT. 

With this in mind, methods and systems are provided to constrain or otherwise better 
control the delegation process. The methods and systems can be used with different 
authentication protocols. The delegation process is controlled in certain exemplary 
implementations through a service-for-user-to-proxy (S4U2proxy) technique. The S4U2proxy
technique is preferably implemented as a protocol that allows a server or service, such as, e.g., a
front-end server/service, to request service tickets on behalf of a client for use with other
servers/services. As described in greater detail below, the S4U2proxy protocol advantageously
provides for constrained delegation in a controllable manner that does not require the client to 
forward a TGT to the front-end server. 
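The two delegation styles contrasted above, modelled as an added example in Python. This is not code from the application, from Fox, or from any Kerberos implementation: the principal names and passwords, the front end's allowed-to-delegate-to list, and the set of front ends trusted for protocol transition are constructed for the illustration, and an HMAC under a single KDC key stands in for the encrypted ticket of real Kerberos. It models the forwardable flag of claim 26 as the client's consent, the KDC-side admission decision of claim 8 as the allowed-to-delegate-to policy, and the first-method-then-Kerberos path of claims 40, 49 and 58 as S4U2self followed by S4U2proxy, and it shows why a front end holding only the client's service ticket is constrained where one holding the client's forwarded TGT is not.

```python
import hashlib, hmac, json
from dataclasses import dataclass

KDC_KEY = b"constructed-kdc-master-key"  # stands in for the krbtgt key


class DelegationError(Exception):
    """The KDC refused a ticket request."""


@dataclass(frozen=True)
class Ticket:
    client: str        # principal the ticket is issued in the name of
    service: str       # "krbtgt" for a TGT, otherwise the service principal
    forwardable: bool  # the client's consent to delegation (claim 26's flag)
    mac: str           # KDC integrity check; real tickets are encrypted instead


def _mac(client, service, forwardable) -> str:
    data = json.dumps([client, service, forwardable]).encode()
    return hmac.new(KDC_KEY, data, hashlib.sha256).hexdigest()


class KDC:
    def __init__(self):
        self.secrets = {"alice": "alice-pw", "bob": "bob-pw", "http/frontend": "fe-pw",
                        "mssql/backend": "db-pw", "cifs/fileserver": "fs-pw"}  # constructed
        # the only targets a front end may reach on a client's behalf
        self.allowed_to_delegate_to = {"http/frontend": {"mssql/backend"}}
        # front ends trusted to assert a client they authenticated by NTLM, TLS, ...
        self.trusted_for_protocol_transition = {"http/frontend"}

    def _issue(self, client, service, forwardable) -> Ticket:
        return Ticket(client, service, forwardable, _mac(client, service, forwardable))

    def _verify(self, t: Ticket) -> None:
        if not hmac.compare_digest(_mac(t.client, t.service, t.forwardable), t.mac):
            raise DelegationError("ticket failed integrity check")

    def as_req(self, principal, secret) -> Ticket:
        """AS exchange: prove the long-term secret, receive a TGT."""
        if self.secrets.get(principal) != secret:
            raise DelegationError("pre-authentication failed")
        return self._issue(principal, "krbtgt", forwardable=True)

    def tgs_req(self, tgt, service, forwardable=False) -> Ticket:
        """TGS exchange: any holder of a TGT gets any ticket in its owner's name."""
        self._verify(tgt)
        if tgt.service != "krbtgt":
            raise DelegationError("credential is not a TGT")
        return self._issue(tgt.client, service, forwardable)

    def s4u2self(self, server_tgt, client_name) -> Ticket:
        """Ticket to the server itself for a client it authenticated by a first
        method (claims 40, 49, 58); forwardable only for a protocol-transition server."""
        self._verify(server_tgt)
        fwd = server_tgt.client in self.trusted_for_protocol_transition
        return self._issue(client_name, server_tgt.client, fwd)

    def s4u2proxy(self, server_tgt, evidence, target) -> Ticket:
        """Server presents its own TGT, the target name and the client's ticket to
        the server; gets a ticket in the client's name. The client's TGT stays put."""
        self._verify(server_tgt)
        self._verify(evidence)
        server = server_tgt.client
        if server_tgt.service != "krbtgt":
            raise DelegationError("server credential is not a TGT")
        if evidence.service != server:
            raise DelegationError("evidence ticket was not issued to this server")
        if not evidence.forwardable:
            raise DelegationError("client did not authorize delegation")
        if target not in self.allowed_to_delegate_to.get(server, set()):
            raise DelegationError(f"{server} may not delegate to {target}")
        return self._issue(evidence.client, target, forwardable=False)


def refused(fn, *args) -> str:
    try:
        fn(*args)
    except DelegationError as e:
        return str(e)
    return ""


def scenario() -> dict:
    kdc, out = KDC(), {}
    alice_tgt = kdc.as_req("alice", "alice-pw")
    fe_tgt = kdc.as_req("http/frontend", "fe-pw")
    # constrained: the client hands the front end only a forwardable service ticket
    evidence = kdc.tgs_req(alice_tgt, "http/frontend", forwardable=True)
    out["backend"] = kdc.s4u2proxy(fe_tgt, evidence, "mssql/backend")
    out["fileserver"] = refused(kdc.s4u2proxy, fe_tgt, evidence, "cifs/fileserver")
    quiet = kdc.tgs_req(alice_tgt, "http/frontend", forwardable=False)
    out["no_consent"] = refused(kdc.s4u2proxy, fe_tgt, quiet, "mssql/backend")
    # protocol transition: bob authenticated to the front end by NTLM or TLS
    out["bob_backend"] = kdc.s4u2proxy(fe_tgt, kdc.s4u2self(fe_tgt, "bob"), "mssql/backend")
    # unconstrained: a front end holding alice's forwarded TGT can get any ticket
    out["forwarded_tgt"] = kdc.tgs_req(alice_tgt, "cifs/fileserver")
    return out
```

Calling scenario() walks both paths against one KDC: the S4U2proxy request yields a ticket naming alice for mssql/backend, is refused for cifs/fileserver because that target is outside the front end's allowed list, and is refused when the client's service ticket was not forwardable because the client withheld consent; the forwarded-TGT path in tgs_req obtains a ticket for any service, and nothing in that exchange could constrain it, which is the problem both the application and the Fox passage quoted below describe.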
With the utmost respect for the Office Action and the Examiner, the concern recited in
the specification of the present application with regard to unconstrained delegation is the same
problem that is expressly conceded by Fox and its description of "Charon, a proxied implementation
of Kerberos" (Fox, Section 1.3, Page 155, Column 2, Paragraph 1). As cited by the Office
Action, this proxied implementation not only allows, but supports, unconstrained delegation:

"An alternative approach to service access that places more trust in
Charon is for the client to reveal Kc,tgs to Charon over the established secure
channel, thus allowing Charon to negotiate for Kerberized services directly."

(Fox, Section 2.3, Page 158, Column 2, Paragraph 3; emphasis added). As explained by Fox,
"Kx,y" is a key generated by a key distribution center and disclosed to the principals x and y,
which in the case of "Kc,tgs" would be the client, c, and the Kerberos ticket-granting server. (Fox,
Page 157, Column 2, Section 2.2, Paragraphs 3, 8, and 12). Thus, the passage cited by the Office
Action expressly contemplates exposing the key disclosed to the client and the ticket-granting
service to the proxy, Charon. Thus, the passage of the cited reference relied upon by the Office
Action expressly allows for unconstrained delegation.

Not only does this passage of Fox allow for unconstrained delegation, but later in 
the same paragraph, Fox expressly concedes what a significant problem unconstrained delegation 
presents: 

"In this approach, Charon still doesn't have the user's Kerberos password,
but because it has Kc,tgs it can do more damage should it be compromised.
Specifically an attacker who controls Charon can impersonate the client for the
lifetime of the TGT, requesting additional services that the client has not
authorized. The ticket lifetime, which is specified at the time the TGT is
requested, may be as lengthy as several hours, which presents a potentially
large window during which attackers could cause damage. This second
approach potentially increases convenience to the user at the cost of decreased
security."

(Fox, Section 2.3, Page 158, Column 2, Paragraph 3 through Page 159, Column 1, Paragraph 1;
emphasis added). Clearly, Fox's Charon system considers and tolerates a problem that was
both recognized and discussed in the specification of the present application.

Applicants wish to note that the "first approach" of Fox, described in Section 2.3, Page
158, Column 2, Paragraph 2, describes a process wherein neither the Charon password nor Kc,tgs
are provided by the client to the server; however, a session key is provided by the client to the
proxy, allowing the proxy to operate on the client's behalf. Thus, in both approaches described
by Fox, a client expressly provides to a proxy or server a client authentication, which the proxy
or server then can put to its own use.

By contrast, for example, what is recited in claim 1 is distinct from what is recited by
Fox:

1. (Currently Amended) A method for constraining a scope of
delegation by a client to a server, comprising:

identifying a target service to which access is sought on behalf of a client;

causing a server operatively coupled to the client to request access to the
target service on behalf of the client, from a trusted third-party, wherein the server
provides the trusted third-party with a credential authenticating the server,
information about the target service, and a service credential previously provided
by the client to the server; and

causing the trusted third-party to provide the server with a new service
credential granted in the name of the client rather than the server such that the
new service credential authorizes the server to access the service on behalf of the
client while withholding a client's authentication credentials from the server,
wherein the new service credential granted in the name of the client is constrained
to a scope specified by the service credential previously provided by the client to
the server.

Respectfully, Fox teaches exposing client authentication credentials to a proxy or server, leading
to the possibility of unconstrained delegation. By contrast, claim 1 as amended expressly recites
constraining the scope of delegation by withholding the client's authentication credentials from
the server. Fox fails to teach or suggest what is recited by claim 1. Thus, claim 1 is not
anticipated by Fox.

Independent claims 12, 16, 31, 38, 40, 49, and 58 also are currently amended to recite
methods and systems of constrained delegation that limit the scope of access permitted to a
server to that scope permitted by a client. Accordingly, for reasons analogous to those submitted
above with respect to Fox, applicants submit that claims 12, 16, 31, 38, 40, 49, and 58 are not
anticipated by Fox.

Claim 26, as amended, further distinguishes over the reference cited. Specifically, claim
26 recites "presenting a forwardable delegation flag indicating the client has authorized the
delegation." Applicants respectfully note that the Office Action does not expressly reference
such an element. The Office Action mentions, without citation, that "Verifying authorized
delegation is inherently implied in a system that uses Kerberos." However, the Office Action
does not specify or cite authority for the proposition that such verification is so inherently 
implied. Moreover, the Office Action's reliance on such an implication certainly fails to recite a
mechanism by which such authentication is made. Thus, the "presenting of a forwardable flag"
is neither mentioned nor even contemplated by the cited reference. Therefore, applicants submit 
that claim 26 as amended further distinguishes over the reference cited. 

Claims 2, 4-11, 13-15, 17, 19-25, 27, 29-30, 32-35, 39-41, 43-46, 48, 50, 52-55, 57, and
60-61 are dependent claims that depend from and apply additional limitations to the claims from
which each depends. Thus, each of claims 2, 4-11, 13-15, 17, 19-25, 27, 29-30, 32-35, 39-41,
43-46, 48, 50, 52-55, 57, and 60-61 is also patentable for at least the same reasons as the
independent claim from which it depends.



Claim Rejections under 35 U.S.C. § 103

Claims 47 and 56 are once again rejected under 35 U.S.C. § 103(a) as being obvious over
Fox in view of Freier et al., "The SSL Protocol Version 3.0" (November 18, 1996). Claims 47
and 56 depend from claims 40 and 49, respectively. Because dependent claims 47 and 56 are
patentable for at least the same reasons as the claims from which they depend, and add additional
limitations to those claims, applicants request that the rejection similarly be withdrawn from
claims 47 and 56.
CONCLUSION

Claims 1-2, 4-17, 19-27, 29-35, 38-41, 43-50, 52-58, and 60-61 are in condition for
allowance. Applicant respectfully requests entry of the amendment, and reconsideration and 
prompt allowance of the subject application. If any issue remains unresolved that would prevent 
allowance of this case, the Examiner is requested to contact the undersigned attorney to resolve 
the issue. 



Respectfully submitted, 

MERCHANT & GOULD P.C. 
P.O. Box 2903 

Minneapolis, Minnesota 55402-0903 
(206) 342-6200 



Date: September 19, 2006 